authorLuca <deri@ntop.org>2022-10-04 22:31:42 +0200
committerLuca <deri@ntop.org>2022-10-04 22:32:45 +0200
commit37c88b129f6f5a3475dc6364cc4a898df9ff37ab (patch)
tree23592c10fdfaf504838ac402a19bfbbbff4b9b73 /src
parentcca585053e86b70b86c12296531a882847e8dd87 (diff)
Added new flow risk NDPI_HTTP_OBSOLETE_SERVER. Currently Apache and nginx are supported
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/ndpi_main.c3
-rw-r--r--src/lib/ndpi_utils.c4
-rw-r--r--src/lib/protocols/http.c51
4 files changed, 52 insertions, 9 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index b0bff8bb1..e6cc194e5 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -120,7 +120,8 @@ typedef enum {
NDPI_UNIDIRECTIONAL_TRAFFIC, /* NOTE: as nDPI can detect a protocol with one packet, make sure
your app will clear this risk if future packets (not sent to nDPI)
are received in the opposite direction */
-
+
+ NDPI_HTTP_OBSOLETE_SERVER,
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
} ndpi_risk_enum;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 6061d6419..7c3f63d64 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -165,7 +165,8 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_HTTP_CRAWLER_BOT, NDPI_RISK_LOW, CLIENT_LOW_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_ANONYMOUS_SUBSCRIBER, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_UNIDIRECTIONAL_TRAFFIC, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
-
+ { NDPI_HTTP_OBSOLETE_SERVER, NDPI_RISK_MEDIUM, CLIENT_LOW_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
+
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY }
};
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 7a34b0b76..9d5ea70bc 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1934,6 +1934,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
return("Unidirectional Traffic");
break;
+ case NDPI_HTTP_OBSOLETE_SERVER:
+ return("HTTP Obsolete Server");
+ break;
+
default:
ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 80c4c8041..34c6f5594 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -636,6 +636,47 @@ static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct
/* ************************************************************* */
+#define MIN_APACHE_VERSION 2004000 /* 2.4.X [https://endoflife.date/apache] */
+#define MIN_NGINX_VERSION 1022000 /* 1.22.0 [https://endoflife.date/nginx] */
+
+static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ const char *server, u_int server_len) {
+ if(server_len > 7) {
+ u_int off;
+
+ if(strncmp((const char *)server, "ntopng ", 7) == 0) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
+ NDPI_CLR_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
+ } else if((strncasecmp(server, "Apache/", off = 7) == 0) /* X.X.X */
+ || (strncasecmp(server, "nginx/", off = 6) == 0) /* X.X.X */) {
+ u_int i, j, a, b, c;
+ char buf[16] = { '\0' };
+
+ for(i=off, j=0; (i<server_len) && (server[i] != ' ') && (j<sizeof(buf)); i++)
+ buf[j++] = server[i];
+
+ if(sscanf(buf, "%d.%d.%d", &a, &b, &c) == 3) {
+ u_int32_t version = (a * 1000000) + (b * 1000) + c;
+
+ if((off == 7) && (version < MIN_APACHE_VERSION)) {
+ char msg[64];
+
+ snprintf(msg, sizeof(msg), "Obsolete Apache server %s", buf);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg);
+ } else if((off == 6) && (version < MIN_NGINX_VERSION)) {
+ char msg[64];
+
+ snprintf(msg, sizeof(msg), "Obsolete nginx server %s", buf);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg);
+ }
+ }
+ }
+ }
+}
+
+/* ************************************************************* */
+
/**
NOTE
ndpi_parse_packet_line_info is in ndpi_main.c
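Review bot: The copy loop `for(i=off, j=0; (i<server_len) && (server[i] != ' ') && (j<sizeof(buf)); i++)` can fill all 16 bytes of `buf`, so a Server value with 16 or more non-space characters after the prefix leaves `buf` without a NUL terminator and both the `sscanf` and the `snprintf("... %s", buf)` read past the end of the stack array; the bound should be `(j<sizeof(buf)-1)`. `a`, `b` and `c` are declared `u_int` but scanned with `"%d.%d.%d"`, which is a format/argument mismatch; `"%u.%u.%u"` matches the declared types. Since the weights are 1000 and 1000000, a minor or patch component of 1000 or more aliases into the next field and large values wrap `version`, so rejecting components above 999 before computing `version` (e.g. `if(b > 999 || c > 999) return;`) keeps the comparison meaningful on untrusted header input. The `off = 7` / `off = 6` assignments inside the `strncasecmp` arguments are a style point: the prefix length doubles as the server-type discriminator, and a separate flag or small enum would read more clearly than comparing `off` again below.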
@@ -699,13 +740,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
- if(packet->server_line.ptr != NULL && (packet->server_line.len > 7)) {
- if(strncmp((const char *)packet->server_line.ptr, "ntopng ", 7) == 0) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
- NDPI_CLR_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
- }
- }
-
+ if(packet->server_line.ptr != NULL)
+ ndpi_check_http_server(ndpi_struct, flow, (const char *)packet->server_line.ptr, packet->server_line.len);
+
if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) {
ret = http_process_user_agent(ndpi_struct, flow, packet->user_agent_line.ptr, packet->user_agent_line.len);
/* TODO: Is it correct to avoid setting ua, host_name,... if we have a (Netflix) subclassification? */